Stay informed with the latest insights and updates

Two recent BC Court of Appeal decisions revive support for Canadian data breach class actions after the viability of such proceedings was recently stifled by a trio of decisions by the Ontario Court of Appeal.

Privacy regulators across Canada are signalling an increased focus on a particular risk area: namely, reliance on service providers. This article explores various key developments. 

Canadian organizations implementing artificial intelligence products to process personal information are currently working in a vacuum, with no definitive standards or frameworks to guide them. However, a recent report by Ontario's IPC provided recommendations for ensuring the privacy-protective adoption of such technologies.

After experiencing a cyber attack, organizations tend to keep a tight grip on incident-related information, often by asserting some sort of legal privilege. In LifeLabs LP v. Information and Privacy Commr. (Ontario), a panel of the Divisional Court of Ontario’s Superior Court of Justice found that legal privileges asserted by LifeLabs did not apply to, among other things the forensic investigation report prepared by a third-party cybersecurity consultant.

In R v. Bykovets, the Supreme Court found that there is a reasonable expectation of privacy in IP addresses and, as such, law enforcement need judicial pre-authorization to obtain access to them. This article provides a brief overview of the SCC’s decision and discusses important considerations under Canadian privacy law when determining the extent to which a business may disclose personal information to law enforcement without consent.

On February 2, 2024, the Supreme Court of Canada ruled that Ontario Premier Doug Ford’s mandate letters issued to his cabinet ministers in 2018 are exempt from public disclosure.

This article examines how existing law and upcoming legal reforms can be applied to address AI revenge porn. So far, the law has been slow to respond, though federal AI legislation on the horizon aims to regulate organizations that develop AI systems and make them available for use.

As another year has come to an end and we have already embarked on a new year, we take this opportunity to reflect on a number of significant changes to Canadian privacy law. From promising developments to proposed legislation to a groundbreaking investigation, there is much to review as we head into 2024. This article reviews the top five recent developments we encountered this year.

On December 7, 2023, the Office of the Privacy Commissioner of Canada released an article with nine principles intended to guide developers, providers and organizations to properly navigate the development and use of generative artificial intelligence. Privacy concerns arise where the AI is trained on data sets that include personal information.

The Federal Court of Appeal recently upheld the ruling of the Federal Court wherein it was held that the Personal Information Protection and Electronic Documents Act (PIPEDA) should apply to Google’s search engine results, as they have a commercial interest in it by way of ads and also connecting two players.

Generative AI tools like ChatGPT, Cohere, and DALL-E2 are popular tools that allow organizations to generate images, text, sounds and creative content based on a prompt. While these tools can provide practical benefits such as improved efficiency and productivity, they raise privacy risks which are important to mitigate.

Redirecting bank wire transfers has become an increasingly common method of fraud, frequently perpetuated through hacking or otherwise impersonating individuals representing a business. In the aftermath, there is often dispute about who bears responsibility for the financial loss: the company that mistakenly sent funds to the wrong bank, or the company whose email was hacked.

In a matter of months, generative AI has been adopted ravenously by the public, thanks to programs like ChatGPT. The increasing use (or proposed use) of generative AI by organizations has presented a unique challenge for regulators and governments across the globe. This article summarizes some of the key legislation or proposed legislation around the world that tries to strike the balance between fostering innovation while mitigating risks associated with the technology.

On April 4, 2023, Canada’s Privacy Commissioner, Philippe Dufresne, launched an investigation into OpenAI after having received a complaint alleging the collection, use and disclosure of personal information without consent.

Facial recognition technology has become increasingly popular among businesses for various applications, including security, marketing, and customer service. However, with the widespread adoption of this technology, there are growing concerns over its potential impact on privacy, human rights, and data protection.

In this article, we focus on the importance of data security diligence, tips for the diligence process, and mitigation strategies for companies that have identified risks and wish to proceed with the deal. We also discuss the need to assess and quickly remediate any flaws in a target company’s data security posture following a transaction.

The U.S. National Institute of Standards and Technology recently released version 1.0 of its Artificial Intelligence Risk Management Framework. The goal of the framework is to provide a voluntary, rights-preserving, sector- and use-case agnostic guide for AI actors to implement in order to promote trustworthy and responsible AI systems.

In the wake of various high-profile security breaches, now may be a good time for businesses to re-acquaint themselves with the applicable Canadian statutory framework for the protection of personal information, as well as implement or update policies and procedures around breach detection and notification.

2022 was an eventful year for privacy law in Canada. The Canadian privacy landscape saw significant changes, as stakeholders at all levels recognized the need to keep up with a data-driven world. This article summarizes the top five recent developments that businesses and stakeholders should be aware of.

The Court of Appeal for Ontario recently considered and definitively determined the issue of whether organizations that collect and store personal information about individuals for commercial purposes can be held liable for the tort of “intrusion upon seclusion” if they fail to take adequate steps to protect the information from third-party “hackers”.

Having gained substantial leadership experience as a privacy officer, what follows in this article is the perspective the author gained in these unique and essential roles. Each mandate, while quite different in practice, harvested similar lessons that I believe every practitioner working in the privacy sector should adopt to maximize their effectiveness within their organization. The following are seven key lessons every privacy officer or practitioner should know.

On September 22, 2022, the first set of amendments from Bill 64 will come into force. Although most amendments will come into force in September 2023, below we highlight significant changes in force this September.

Mobile applications have become synonymous with organizations’ outreach initiatives. The recent joint investigation by federal and provincial privacy authorities into the Tim Hortons app emphasizes the need for companies to consider Canadian privacy laws when designing their apps.

Shalom Cumbo-Steinmetz and Alina Butt discuss key takeaways from a recent Divisional Court decision overturning certification in a data breach class action involving private health information.

Ronak Shah and George Boynton Payne discuss a growing trend among organizations to include privacy and data governance metrics and disclosure as part of their environmental, social and governance (ESG) reporting framework, and highlight practical steps an organization can take to move beyond a traditional regulatory compliance approach to privacy and security.

The common law tort of intrusion upon seclusion continues to develop, as does its use in the class action context. Chloe Snider and Hala Abdul Ghani explore four recent decisions that demonstrate a shift in the use of this tort in large data breach cases.

On December 14, 2021, the British Columbia, Alberta and Quebec privacy regulators issued separate legally binding orders directing Clearview AI to comply with recommendations made in their recent Report of Findings coauthored with the Office of the Privacy Commissioner of Canada. Ellen Xu explores the practices that gave rise to the investigation against Clearview and the recommendations with which Clearview has been ordered to comply.

On November 1, 2021, the new law governing privacy in the People's Republic of China (PRC) came into effect. The Personal Information Protection Law (PIPL) contains substantive privacy obligations and has the potential to significantly impact organizations operating both within and outside of the PRC. Nicholas Wall provides an overview of PIPL's scope of application, central principles and restrictions on cross-border transfers.

The ONCA’s affirmation of the Superior Court decision in Wakeling illustrates some of the basic components and considerations of the tort of intrusion upon seclusion.